Semi-Electronic Bank Robbery

The AP has a story about an electronic bank robbery foiled when a bank employee pulled the plug on the robbers’ network connection.  Apparently the robbers had gained physical access to the employee’s workstation at some point, and installed “advanced technical equipment” underneath the desk to remotely control the computer.

I would guess that the “advanced technical equipment” consisted of a cheap consumer wireless access point.  The attack probably went something like this:

As for the somewhat dramatic line “By pulling out the cable to the device, the employee managed to stop the intended transfer at the last second,” this is obviously meant to evoke movie scenes where there’s some progress bar on the screen marked “Transferring funds…” that gets interrupted at 99% by the heroic employee cutting the cable.  However, what’s more likely is that the employee looked at his computer and noticed the mouse moving on its own, clicking buttons to transfer funds and entering an amount.  Before the button to confirm the transaction could be pressed, the remote control was disconnected, so the transfer was never started.

This is an interesting attack in that it doesn’t really fit the profile of a traditional bank robbery, but neither is it a completely electronic theft.  The attackers had to have had physical access to the bank, but they didn’t use it to get at the money — they used it to get to the computers.

Security measures are targeted.  The bank’s physical security consists of cameras watching teller stations and heavy vault walls and doors guarding the money.  This is targeted at stopping two attacks — the vault stops simple burglary (walk in at night and grab the money), while the cameras detect employee fraud by tellers and armed robbery by customers.  Meanwhile, the bank’s electronic security consists of firewalls, intrusion detection systems, and access control systems that stop people from outside the bank from accessing the systems.

This attack went around both.  The physical security was not set to stop people tampering with desktop computers — there’s no money there!  Someone was thus able to either sneak in or social-engineer their way to the desk and tamper with equipment undetected.  The electronic security is not meant to stop someone actually sitting at a computer who has logged in with legitimate credentials — they’re supposed to be able to move money around.  By combining an electronic breach with a physical one, the attackers managed to be “sitting at the computer” while actually nowhere near it.  It’s an ingenious plan, and one of those rare cases where a rather elaborate “heist movie plot” sort of attack was attempted.

They were stopped by one of the most powerful countermeasures available — a vigilant employee.  However, there is a lesson to be learned from this: Physical security is important!  If an attacker has unmonitored physical access to hardware, he can modify it to do anything he wants.  No passwords or credentials are needed if he can reboot the system with a flash drive or CD-ROM.  How many of your company’s electronic countermeasures would be rendered useless by an attacker who could remotely control a computer inside the perimeter, or even just had a network tap to the internal network behind the firewall?  In most companies, it’s not too hard to gain physical access, usually by impersonating a service employee of some kind (janitorial staff, phone company employee, etc.).  Presumably the attackers who had physical access were in a hurry, since they put the AP under the same computer they were controlling; with more time, they could have compromised one computer and hidden the AP somewhere entirely different, making it harder to find and pull the plug.  Of course, if the employee was thinking clearly (and he probably was, since he thought to pull the plug at all), he still could have simply switched the computer off, so this wouldn’t have done a lot of good.

Also, it’s worth periodically searching for rogue access points.  Not only might an attacker install one deliberately, but employees in businesses without wireless networks have been known to install a wireless AP under their desks simply for convenience.  Often, these are configured very poorly, with no security or encryption at all.  Rogue APs can be detected in a variety of ways; if you have the luxury of having access to a product like Aruba Networks’ RFProtect (which was called Network Chemistry last time I used it, but seems to have since been acquired by Aruba), monitoring can be automatic and continuous.  If not, there are still open-source rogue scanners, and even simple tools like the aircrack-ng suite can be used to look around, though it’s considerably less automatic (and thus more time-consuming) to do it that way.
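As an added example (not the author's code or any product's), here is a small Python script that checks the output of the Linux `iw dev <iface> scan` command against an allow-list of authorised BSSIDs and flags anything unknown, open, or impersonating the corporate SSID; the allow-list and the scan text are constructed for illustration.

```python
import re

# Constructed allow-list of authorised APs (BSSID -> SSID); normally your wireless inventory.
AUTHORIZED = {"00:11:22:33:44:55": "CorpNet", "00:11:22:33:44:56": "CorpNet"}

# Constructed sample in the layout `iw dev <iface> scan` prints; not a real capture.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -45.00 dBm
    SSID: CorpNet
BSS de:ad:be:ef:00:01(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    signal: -38.00 dBm
    SSID: linksys
BSS de:ad:be:ef:00:02(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -71.00 dBm
    SSID: CorpNet
"""

def parse_iw_scan(text):
    """One dict per BSS block: bssid, ssid, signal (dBm), encrypted."""
    aps = []
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            aps.append({"bssid": m.group(1), "ssid": "", "signal": 0.0, "encrypted": False})
        elif aps:
            key, _, val = line.strip().partition(": ")
            if key == "SSID":
                aps[-1]["ssid"] = val
            elif key == "signal":
                aps[-1]["signal"] = float(val.split()[0])
            elif key == "capability":
                # The Privacy capability bit means WEP or WPA is in use; an open AP lacks it.
                aps[-1]["encrypted"] = "Privacy" in val
    return aps

def find_rogues(aps, authorized):
    """Flag every AP not in the inventory, strongest signal (likely nearest) first."""
    findings = []
    for ap in aps:
        if ap["bssid"] in authorized:
            continue
        reason = ("unknown BSSID advertising a corporate SSID" if ap["ssid"] in authorized.values()
                  else "open (unencrypted) AP" if not ap["encrypted"] else "unknown AP")
        findings.append((ap["bssid"], ap["ssid"], ap["signal"], reason))
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for bssid, ssid, signal, reason in find_rogues(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"{bssid}  {ssid!r:12} {signal:7.1f} dBm  {reason}")
```

To run it against a live scan, replace `SAMPLE_SCAN` with the text from `iw dev wlan0 scan` (run as root) and walk towards the strongest unknown signal.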

This also points out the importance of defense in depth.  Host-based firewalls and intrusion detection might detect an attack like this, but traditional perimeter defenses like firewalls and NIDS are useless against it.  Layers of security, designed to interfere with different types of attacks, always provide much more security than any single countermeasure.
